From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle MySQL, which can be exploited by malicious users to cause a DoS (Denial of Service) and compromise a vulnerable system and by malicious people to disclose sensitive information, manipulate certain data, and cause a DoS.

1) An error within the InnoDB subcomponent can be exploited to execute arbitrary code.
2) An error within the RBR subcomponent can be exploited to execute arbitrary code.
3) An error within the MySQL Client can be exploited to disclose, update, insert, or delete certain data and to cause a crash.
4) An error within the DML subcomponent can be exploited to cause a crash.
5) An error within the InnoDB subcomponent can be exploited to cause a crash.
6) An error within the MyISAM subcomponent can be exploited to cause a crash.
7) An error within the Optimizer subcomponent can be exploited to cause a crash.
8) An error within the Partition subcomponent can be exploited to cause a crash.
9) An error within the XML subcomponent can be exploited to cause a crash.
10) An error within the Performance Schema subcomponent can be exploited to cause a crash.
11) An error within the Privileges subcomponent can be exploited to cause a crash.
12) An error within the Replication subcomponent can be exploited to cause a crash.
13) An error within the Federated subcomponent can be exploited to cause a crash.
14) An error within the Options subcomponent can be exploited to cause a crash.

Please see the vendor's advisories for a list of affected versions.

Solution: Apply update.

Further details available to Secunia VIM customers

Provided and/or discovered by: It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.
Original Advisory: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixMSQL

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-2440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2440):
  Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2014-2438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2438):
  Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.

CVE-2014-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2436):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.

CVE-2014-2435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2435):
  Unspecified vulnerability in Oracle MySQL Server 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2014-2434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2434):
  Unspecified vulnerability in Oracle MySQL Server 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2014-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2432):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.

CVE-2014-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2431):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.

CVE-2014-2430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2430):
  Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.

CVE-2014-2419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2419):
  Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2014-0384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0384):
  Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML.
Added to existing GLSA request
This issue was resolved and addressed in GLSA 201409-04 at http://security.gentoo.org/glsa/glsa-201409-04.xml by GLSA coordinator Sergey Popov (pinkbyte).